date: 2012-11-28

id: OSSA-2012-018

title: 'EC2-style credentials invalidation issue'

description: 'Vijaya Erukala reported a vulnerability in Keystone EC2-style credentials

  invalidation: when a user is removed from a tenant, issued EC2-style credentials
  would continue to be valid for that tenant. An authenticated and authorized user
  could potentially leverage this vulnerability to extend his access beyond the account
  owner expectations. Only setups enabling EC2-style credentials (for example enabling
  EC2 API in Nova) are affected.'

reference: http://lists.openstack.org/pipermail/openstack-announce/2012-November/000055.html

affected-products:

  - product: keystone
    version: All versions

vulnerabilities:

  - cve-id: CVE-2012-5571
    impact-assessment:
      source: 'Red Hat Product Security'
      rating: moderate
      assessment:
        type: CVSS2
        score: 4.0
        detail: AV:N/AC:L/Au:S/C:N/I:P/A:N
    classification:
      source: 'Red Hat Product Security'
      type: CWE
      detail: TODO

reporters:

  - name: 'Vijaya Erukala'
    affiliation: UNKNOWN
    reported:
      - CVE-2012-5571

issues:

  links:
    - https://launchpad.net/bugs/1064914

  type: launchpad

reviews:

  grizzly:
    - https://review.openstack.org/#/c/16028

  folsom:
    - https://review.openstack.org/#/c/16304

  essex:
    - https://review.openstack.org/#/c/16760

  type: gerrit